summaryrefslogtreecommitdiff
path: root/program/steps
diff options
context:
space:
mode:
authorthomascube <thomas@roundcube.net>2008-09-16 13:02:53 +0000
committerthomascube <thomas@roundcube.net>2008-09-16 13:02:53 +0000
commit36c236eee7529eae962d7e7c5ec925d2d417c7b8 (patch)
treec72d13fb79fd2b36c2b3c4e087cac6e2ac19eab8 /program/steps
parent2f746dcd68433804e00285bd7ac6feece1e91074 (diff)
Fix typos + only add callback for style tags when safe-flag is set
Diffstat (limited to 'program/steps')
-rw-r--r--program/steps/mail/func.inc17
1 files changed, 8 insertions, 9 deletions
diff --git a/program/steps/mail/func.inc b/program/steps/mail/func.inc
index 6d23b6f8e..02bc4dce2 100644
--- a/program/steps/mail/func.inc
+++ b/program/steps/mail/func.inc
@@ -611,14 +611,13 @@ function rcmail_print_body($part, $p = array())
$wash_opts['html_elements'] = array('html','head','title','body');
}
- // allow CSS styles, will be sanitized by rcmail_washtml_callback()
- if ($p['safe']) {
- $wash_opts['html_elements'][] = 'style';
- }
-
$washer = new washtml($wash_opts);
$washer->add_callback('form', 'rcmail_washtml_callback');
- $washer->add_callback('style', 'rcmail_washtml_callback');
+
+ if ($p['safe']) { // allow CSS styles, will be sanitized by rcmail_washtml_callback()
+ $washer->add_callback('style', 'rcmail_washtml_callback');
+ }
+
$body = $washer->wash($html);
$REMOTE_OBJECTS = $washer->extlinks;
@@ -708,10 +707,10 @@ function rcmail_washtml_callback($tagname, $attrib, $content)
case 'style':
// decode all escaped entities and reduce to ascii strings
- $stripped = preg_replace('/[^a-zA-Z\(:]/', '', rcmail_xss_entitiy_decode($source));
+ $stripped = preg_replace('/[^a-zA-Z\(:]/', '', rcmail_xss_entitiy_decode($content));
- // now check for evli strings like expression, behavior or url()
- if (!preg_match('/expression|behavior|url\(|import/', $css)) {
+ // now check for evil strings like expression, behavior or url()
+ if (!preg_match('/expression|behavior|url\(|import/', $stripped)) {
$out = html::tag('style', array('type' => 'text/css'), $content);
break;
}